[jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800

Jetty 9.3.0 to 9.3.8 inclusive is vulnerable to an aliasing issue when running on Windows platform.
The vulnerability allows raw file resources protected by security constraints or in WEB-INF to be revealed. Only resources within the webapp are vulnerable.

The issue was fixed in release jetty-9.3.9, which is available via Eclipse download or in the Maven Central repository. A workaround is also documented in the oCERT announcement below: rewrite rules and/or filters can be installed that disallow URIs containing the \ character.

http://www.ocert.org/advisories/ocert-2016-001.html
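The filter-based workaround mentioned above, as an added example that is not part of the original announcement or of the Jetty project's code. It assumes a Servlet 3.x container (Jetty 9.3 uses the javax.servlet API) and registers itself on every path with @WebFilter. Beyond the literal `\` check the announcement describes, it also rejects a percent-encoded backslash (%5C) and any URI whose percent-decoding fails, which is the stricter form a defender would normally deploy; the 400 status is a choice, not something the announcement prescribes.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not Jetty project code): reject any request whose URI
 * contains a backslash, in raw or percent-encoded form, before it reaches
 * the resource handling that the aliasing issue affects.
 */
@WebFilter("/*")
public class RejectBackslashFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() returns the raw, undecoded request path.
        String rawUri = request.getRequestURI();
        if (!isAcceptable(rawUri)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true only if neither the raw URI nor its percent-decoded form
     * contains a backslash. A URI that cannot be decoded is treated as
     * unacceptable rather than passed through.
     */
    static boolean isAcceptable(String rawUri) {
        if (rawUri == null) {
            return false;
        }
        if (rawUri.indexOf('\\') >= 0) {
            return false;
        }
        try {
            // Catches %5C (and %5c) hidden in the path.
            String decoded = URLDecoder.decode(rawUri, "UTF-8");
            return decoded.indexOf('\\') < 0;
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            // Malformed percent-encoding: refuse rather than guess.
            return false;
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the check runs as a servlet filter, it only protects paths that are dispatched through the filter chain; the rewrite-rule variant mentioned in the announcement sits in front of the webapp and is the more thorough placement when both are available.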

This vulnerability is an example of an alias vulnerability, where a resource on the file system can be accessed via different names. Thus if a security configuration allows all URIs except for specific patterns, then any alias that bypasses the specific patterns can create a security vulnerability. Since updates to file systems and/or JVM libraries can (and have) introduced new types of aliases, it is good security practice to install a deny constraint on all URIs and then selectively allow specific URIs.
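The deny-by-default layout recommended above, as an added web.xml fragment that is not from the original announcement or the Jetty project. The paths /public/* and /admin/* and the role name admin are placeholders chosen for the illustration. It relies on standard servlet security-constraint matching, where the most specific matching url-pattern decides: the /* entry with an empty auth-constraint refuses every request, and only the more specific patterns listed afterwards open anything up.

```xml
<!-- Added example, not from the announcement: deny everything, then allow by exception. -->

<!-- 1. Catch-all: an empty <auth-constraint/> permits no role, so every URI is refused. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Deny by default</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- 2. Public content (placeholder path): no <auth-constraint> means open to everyone,
        and this more specific pattern takes precedence over /* for these URIs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public content</web-resource-name>
    <url-pattern>/public/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- 3. Restricted area (placeholder path and role): only authenticated users in role
        "admin" may reach it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

With this shape, a new alias for a protected file (a trailing character the file system ignores, an alternate path separator, a case variant) still falls under the /* denial unless it happens to match one of the explicitly allowed patterns, which is the property the announcement is pointing at.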

The CVE is not yet visible in the NVD database.

The Jetty team would like to acknowledge the assistance of ocert in finding and handling this issue.

--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com